XSS Vulnerability - 2 - Githubissues

golanorbi commented 2 years ago

Is there a Drupal 6.60 release that fixes the following XSS vulnerabilities?

An XSS vulnerability has been found in Drupal Core that is related to the jQuery UI contrib module:

CVE-2021-41182: XSS in the altField option of the Datepicker widget [5]
CVE-2021-41183: XSS in *Text options of the Datepicker widget [6]

Furthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the jQuery Update [7] module:

CVE-2016-7103: XSS in closeText option of Dialog [8]
CVE-2010-5312: XSS in the title option of Dialog [9] (applicable only to the jQuery UI version included in D7 core)

Important note regarding the jQuery Update contrib module

These backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update.

However, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.

Please check the jQuery Update project page [11] for more details, and for announcements when the changes are made to supported releases.

For more details:

https://www.drupal.org/sa-core-2022-002

The suggested solution:

Install the latest version:

If you are using Drupal 7, update to Drupal 7.86 [12]

dsnopek commented 2 years ago

This is about a vulnerability in jQuery UI, which isn't included in Drupal 6 core. However, there was a security release made for the jquery_ui module:

https://github.com/d6lts/jquery_ui/releases/tag/6.x-1.6

golanorbi commented 2 years ago

It is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.

It says that the fix was made in Drupal Core, and not in jQuery UI module. jQuery UI module stayed untouched regarding this vulnerability. So, is there a plan to issue a Drupal 6.60 to fix this?

Akiracr commented 2 years ago

If you review the differences between drupal-7.85 and drupal-7.86 you could realized that jquery_ui is part of drupal 7 core, that is not the case in Drupal 6.

Thats why only the module jquery_ui is affected.

d6lts / drupal

XSS Vulnerability - 2 #71